lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 11 May 2004 17:24:39 +0100 (MEST)
From: "Aleksandar Milivojevic" <alex@...ivojevic.org>
To: bugtraq@...urityfocus.com
Subject: Somebody exploiting (badly designed) yahoo service?


I don't know if this is something new, or something old.

Yeasterday I received couple of emails (apperently from people I know). 
Emails were text/html, and contained only this text:

http://drs.yahoo.com/milivojevic.org/NEWS

Text was acutally linked to:

http://drs.yahoo.com/milivojevic.org/NEWS/*http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/milivojevic.org/NEWS

Downloading the above link using wget, drs.yahoo.com redirects to:

http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/

This page contains some JavaScript (after couple of empty screens) that
seems to open off-screen window (or at least it looks like that to me) and
loads terra.html from the same site.  Downloading terra.html using wget,
there's some more JavaScript (again after several empty screens) and some
obfuscating code inside that I haven't analyzed in depth.

Anybody seen this before?  Is this some kind of virus, worm, spyware, or
simply a spam?  Looking at received headers of emails, it doesn't look
like spam.  When I contacted the people who were listed as senders, they
said they never sent it (but that they suspect they might be infected by
some virus).

I'll be contacting Yahoo about this (obviously, whatever they have at
drs.yahoo.com isn't designed with security in mind), however I'm
interested if anybody else saw/got this, and if he/she knows what it is.

Thanks for any info/pointers

Aleksandar Milivojevic


Powered by blists - more mailing lists